Federation and Identity Brokering on OpenStack using OpenID and Keycloak + FreeIPA
Prerequisites
- FreeIPA and OpenStack is already configured. OpenStack is configured using Kolla Ansible.
- Keycloak is already configured and federated with FreeIPA (directory service).
- In this example the current IP and port that has been used
Keycloak: http://10.20.20.14:8081 OpenStack: http://10.20.20.100:5000
Setup OpenID configuration on Keycloak
This operation is performed on the Keycloak Dashboard.
Go to the realm that previously created, for example "freeipa-realm", select
Configure > Clients > Create, then fill the following sectionClient ID: openstack-client Client Protocol: openid-connectAdjust the authentication flow using OpenID.
Client ID: openstack-client Client Protocol: openid-connect Access Type: Confidential # define the username/password mechanism Standard Flow Enabled: On Implicit Flow Enabled: On Direct Access Grants Enabled: On Valid Redirect URIs *: https://10.20.20.100:5000/v3/OS-FEDERATION/identity_providers/openidtest/protocols/openid/auth Backchannel Logout Session Required: OnNote: The valid redirect URIs must match the endpoint on OpenStack Keystone
On
Clients > Credentialstab, you will see the Client ID and Secret.Client Authenticator: Client ID Secret: XXXXXXXXXXXXX
Configure OpenID on Keystone and Horizon
This operation is performed on the OpenStack host.
Create directories for Keystone and Horizon services. This directory is used to put the configured files.
$ sudo mkdir /etc/kolla/config/horizon $ sudo mkdir /etc/kolla/config/keystoneCreate the file and change the owner.
$ sudo touch /etc/kolla/config/horizon/local_settings $ sudo touch /etc/kolla/config/keystone/keystone.conf $ sudo touch /etc/kolla/config/keystone/wsgi-keystone.conf $ sudo chown -R $USER:$USER /etc/kolla/config/horizon/ $ sudo chown -R $USER:$USER /etc/kolla/config/keystone/
Configure federating resource on Keystone service
Create identity provider object on Keystone
Remote id value is an issuer on OpenID. To see the issuer you can obtained from the OpenID configuration. By accessing the Keycloak
.well-known/openid-configurationendpoint.For example:
http://10.20.20.14:8081/auth/realms/freeipa-realm/.well-known/openid-configurationThen, create the object by running the command below
$ openstack identity provider set --remote-id http://10.20.20.14:8081/auth/realms/freeipa-realm openidtestCreate a mapping rules for remote user attribute. The file created is in the form of json with the name rules.json.
$ cat > rules.json <<EOF [ { "local": [ { "user": { "name": "{0}" }, "group": { "domain": { "name": "Default" }, "name": "federated_users" } } ], "remote": [ { "type": "HTTP_OIDC_ISS" } ] } ] EOF $ openstack mapping create --rules rules.json openidtest_mappingCreate a group for the role assignment on Keystone
$ openstack group create federated_usersCreate a project on Keystone
$ openstack project create federated_projectDefine the roles for group members
$ openstack role add --group federated_users --project federated_project memberCreate a federation protocol for the identity provider based on the mapping rules that has been created.
$ openstack federation protocol create openid --mapping openidtest_mapping --identity-provider openidtestNote: make sure the federation protocol name matches the specified valid keystone authentication rules, such as openid and saml2.
Configure Apache Authentication Module to OpenID-Connect
Create a protected endpoint
# Keystone <Location /v3/OS-FEDERATION/identity_providers/<IDENTITYPROVIDER>/protocols/<PROTOCOL>/auth> Require valid-user AuthType [...] ... </Location> # Horizon (SSO) <Location /v3/auth/OS-FEDERATION/websso/<PROTOCOL>> Require valid-user AuthType [...] ... </Location> <Location /v3/auth/OS-FEDERATION/identity_providers/<IDENTITYPROVIDER>/protocols/<PROTOCOL>/websso> Require valid-user AuthType [...] ... </Location>Configure the authentication module
This configuration is for Apache web server on virtualhost keystone, set to OIDC option.
OIDCClaimPrefix "OIDC-" OIDCResponseType "id_token" OIDCScope "openid email profile" OIDCProviderMetadataURL https://<URL_IDENTITY_PROVIDER>/.well-known/openid-configuration OIDCClientID <openid_client_id> OIDCClientSecret <openid_client_secret> OIDCCryptoPassphrase <random string> # random string OIDCRedirectURI https://<URL_HORIZON>/v3/OS-FEDERATION/identity_providers/<IDENTITYPROVIDER>/protocols/<PROTOCOL>/authThen add the configuration to
/etc/kolla/config/keystone/wsgi-keystone.conf.<VirtualHost *:5000> …. …. ServerName https://10.20.20.100:5000 OIDCClaimPrefix "OIDC-" OIDCResponseType "id_token" OIDCScope "openid email profile" OIDCProviderMetadataURL http://10.20.20.14:8081/auth/realms/freeipa-realm/.well-known/openid-configuration OIDCClientID openstack-client # keycloak client id OIDCClientSecret xxxx-xxxx-xxxx-xxxx-xxxx # keycloak client secret OIDCCryptoPassphrase openstack OIDCRedirectURI https://10.20.20.100:5000/v3/OS-FEDERATION/identity_providers/openidtest/protocols/openid/auth # Keystone <Location /v3/OS-FEDERATION/identity_providers/openidtest/protocols/openid/auth> Require valid-user AuthType openid-connect LogLevel debug </Location> # Horizon <Location /v3/auth/OS-FEDERATION/websso/openid> Require valid-user AuthType openid-connect </Location> <Location /v3/auth/OS-FEDERATION/identity_providers/openidtest/protocols/openid/websso> Require valid-user AuthType openid-connect </Location> ... ... ... </VirtualHost>- OIDCProviderMetadataURL is located in
freeipa-realm > Configure > Realm Settings, then select Endpoints and click "Endpoints OpenID Endpoint Configuration". *
- OIDCProviderMetadataURL is located in
Configure Keystone
This configuration is performed on /etc/kolla/config/keystone/keystone.conf.
Add the authentication method.
[auth] methods = password,token,saml2,openidConfigure the remote ID attribute.
[openid] remote_id_attribute = HTTP_OIDC_ISS [federation] remote_id_attribute = HTTP_OIDC_ISSAdd the Trusted Dashboard (WebSSO).
[federation] trusted_dashboard = https://10.20.20.100/auth/websso/ sso_callback_template = /etc/keystone/sso_callback_template.html
Configure Horizon
The configuration is performed on /etc/kolla/config/horizon/local_settings.
Enable the SSO
WEBSSO_ENABLED = TrueConfigure the provider for SSO
WEBSSO_CHOICES = ( ("credentials", _("Keystone Credentials")), ("openidtest_openid", "Keycloak - OpenID Connect"), ) # NOTE: The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>). WEBSSO_IDP_MAPPING = { "openidtest_openid": ("openidtest", "openid"), }Reconfigure OpenStack
$ kolla-ansible -i multinode reconfigure
Reference
http://wsfdl.com/openstack/2016/02/01/Keystone-Google-Federation-With-OpenID.html
https://www.meshcloud.io/2017/08/25/federated-authentication-with-the-openstack-cli/
https://docs.openstack.org/keystone/pike/configuration/samples/keystone-conf.html